
Meeting FISMA Training Requirements through Security Awareness and Role-Based Training: An FBI Case Study

ITSL
Information Technology Security Library

address: 8270 Willow Oaks Corporate Dr., Suite 210, Fairfax, VA 22031
ph: [703] 564.0330
web: www.karta.com

IT Security - What's at Stake


Information Privacy - Confidentiality
Provision of Services - Availability
Data Manipulation - Integrity
Critical Roles and Missions
National Infrastructure
Agency Reputation

IT Security - Alarming Statistics


98% have firewalls and 73% have IDS,
yet 36% report penetration from the outside.
99% use anti-virus software, yet 82%
have been hit by viruses, worms, etc.
84% blame their most recent security
breach on human error.
50% increase in intrusions in the past 5 years
90% detected computer security breaches.
75% acknowledged financial losses due to breaches.

Sources: 2003 CSI/FBI Computer Crime and Security Survey & 2004 CompTIA Survey

Case Study: FBI


Case Study Overview
Mission:
In response to the Federal Information Security Management Act (FISMA) of
2002, the Federal Bureau of Investigation began searching for a comprehensive
training solution. The solution needed to be recognized by the intelligence
community, cost-effective, flexible and easily deployed across the organization.

The FBI performed a careful evaluation of the many training options available to
them, and chose the one solution that is recognized by the National Security
Agency, offers CNSS/NSA certification, is mapped to NIST standards and could
be easily deployed across the organization.

Case Study: FBI


Internal Needs

Consistent training across organization

With offices spread across all 50 states and a common mission, a shared
knowledge base is critical

Large number of employees in need of mandatory training

Training recognized by the Intelligence community

Case Study: FBI


Internal Needs

Prevention of security breaches and protection of data integrity

The FBI's network stores highly sensitive data for a variety of ongoing
investigations. Data loss is more than an inconvenience; it could
negatively impact national security, criminal prosecutions or individuals
in the witness protection program.

The FBI is a high-profile target for malicious intruders seeking
information or seeking to disrupt operations

Case Study: FBI


External Pressures

FISMA

Reputation

Malicious Intruders

Case Study: FBI


External Pressures

FISMA
General Information Security Awareness provided to every computer
user in organization

Role-based Information Security training available to all employees
and contractors with network access/responsibility

Case Study: FBI


External Pressures

Reputation

Foremost law enforcement agency in the United States

External critics seeking to exploit a misstep for political gain

Avoid high-profile and negative publicity

Case Study: FBI


External Pressures

Malicious Intruders

The FBI's status makes it a prime target for individuals seeking
unauthorized access
Hackers seeking to disrupt operations
Criminals wishing to disrupt investigations

Case Study: FBI


Possible Solution: Instructor-led Training
Advantages

Meets FISMA Requirements

Disadvantages

Expensive
Requires employees to spend time
away from their regular duties
Time-consuming
Impractical for an organization with
employees in every State and
major city in the country
A number of courses are required
for a complete solution

Case Study: FBI


Possible Solution: Generic Computer-Based Training
Advantages

Meets FISMA Requirements


Employees can complete training
in office
Consistent training across
organization

Disadvantages

No Recognized Credentials
Limited number of options and
courses
Outdated information
No external incentive to
complete coursework
No tracking and reporting if run
locally

Case Study: FBI


Possible Solution: Karta IT Security Library

Advantages

Meets FISMA Requirements

Employees can complete training in office

Consistent training across organization

Certified by the NSA

Provides students with option to earn Continuing Professional Education
credits for certifications issued by (ISC)2

80+ courses for professionals with responsibility for information security
and the organization's network

Program support

Free customized Information Security Awareness course.

Students can earn CNSS/NSA Certification in Systems Administration

Tracking and reporting available

Disadvantages

Case Study: FBI


Program Success:
Over 95% of FBI Employees took the IT Security Awareness course,
exceeding their goal
Customized IT Security Awareness course was a vital tool in disseminating
information about a new operating baseline within the organization
CNSS/NSA Certified staff across the organization
Organization-wide training provided for those individuals playing a key role
in keeping the country safe and secure
Employees view this training opportunity as a major benefit of working for
the FBI
Employees dedicating free time to improving their job skills
Simplified training plans based on roles and responsibilities

FBI's IT Security Training Solution

IT Security Training Solution components:
Role-based IT Security Training
Rollout Support
Industry Recognized Content
IT Security Awareness
Tracking & Reporting

Role-Based IT Security Training


IT Security Library:
80+ IT Security Courses
4 Learning Tracks
3 Skill Levels
18 Training Plans
Promotes Individualized Learning

Learning Tracks

4 Learning Tracks:
Security Policy/Guidelines
Data Security
Network Security
Security Planning

Industry Recognized Content


NSA & CNSS Certification

Continuing Professional
Education Credits (CPE)

The Karta IT Security Training curriculum received National Security
Agency (NSA) and Committee on National Security Systems (CNSS)
Certification by meeting national standards for NSTISSI No. 4013
through 2006.

Individuals holding Certified Information Systems Security Professional
(CISSP) or System Security Certified Practitioner (SSCP) can earn CPE
credit from (ISC)2 for each hour of education accomplished in Karta's IT
Security Library.

Industry Recognized Content


ACE College Credit Recommendations
Karta received College Credit Recommendations for the IT Security Library
A team of content specialists from the American Council on Education
(ACE), selected from college faculty, has reported that Karta's web-based
IT Security courses are comparable to college level courses and may be
used as transfer credit at many colleges and universities

Role-Based Training Plans


Based on NIST Special Publication 800-16
NIST SP 800-16 IT Security Training Matrix

Job Function
Training Cross References

as seen in the ITSL Course Catalog

Role-Based Training Plans


Based on NIST Special Publication 800-16
Course to NIST SP-800-16 Cross
Reference

Sample Training Plans

as seen in the ITSL Course Catalog

Role-Based Training Plans


18 Role-Based Training Plans
Information Security Officer
IT Program Manager

Systems Designer
System Developer

Network Administrator
Systems Administrator

Tech. Support Personnel


Data Center Manager

Database Administrator
Programmer

Systems Operations Personnel


Information Resources Manager

Systems Analyst
System Owner

Information Resources Manager


Official
End User
Designated Approving Authority
Certification Reviewer

IT Security Training Project Support


Enterprise-Wide Support
Comprehensive rollout/internal support
Implementation planning
Structured marketing support

Sample marketing essentials include: marketing plan with specific
success criteria, email templates, flyers, brochures, user guides, and more.

Project tracking and support


Management of reporting (FISMA)
Program coordination/communication

Features & Infrastructure


Browser Playable; No Plug-ins; Minimal Bandwidth Requirements - User friendly; technical challenge avoidance

Electronic Registration and Reporting - Simplified accessibility and tracking

Pre and Post Assessments - Individualized learning

Embedded Questions and Exercises - Reinforced learning

Courseware Mentoring Online SME 24/7 (Optional) - Interactive support

Help Desk - User Acceptance

Hosting - Accessibility

A Turn Key Solution

Karta Contacts

George Soltys
Senior Manager, IT Security Training
Karta Technologies, Inc.
703.564.0341
703.309.3038 (cell)
gsoltys@karta.com
